The notorious Locky ransomware has recently received an update: it now relies on DLL files for its distribution instead of the classic EXE binaries.
This particular ransomware has experienced more changes than any other. This is because it was created by the same cybercriminal gang that is behind the famous Dridex banking Trojan and that owns one of the most active botnets on the Internet.
For Locky's creators, there is no such thing as "meager means". They have the time and the knowledge and, most importantly, they can afford to regularly update and evolve their threat with the newest techniques so that it stays under the radar.
One of the latest updates Locky received has to do with the way it is being spread and how the encryption process starts. The Cyren security company reports that recent Locky variants are being delivered as disguised DLL files instead of EXE binaries.
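As an added example (not code from the article or from Cyren), here is a defender-side triage check for the DLL-instead-of-EXE delivery described above: the IMAGE_FILE_DLL bit in a file's PE header says whether the image is really a DLL, regardless of what its extension claims, so attachments whose extension disagrees with the header can be flagged for review. The PE headers in `build_pe` are constructed test inputs, not real Locky samples.

```python
import struct

# COFF Characteristics flags from the PE specification
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field of a PE image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)  -> Characteristics at +22
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def classify(filename: str, data: bytes) -> str:
    """Compare what the PE header says with what the extension claims.

    Returns "not-pe", "dll", "exe", or "mismatch" (header and extension
    disagree, e.g. a DLL image carrying a non-.dll name)."""
    flags = pe_characteristics(data)
    if flags is None:
        return "not-pe"
    is_dll = bool(flags & IMAGE_FILE_DLL)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if is_dll != (ext == "dll"):
        return "mismatch"
    return "dll" if is_dll else "exe"


def build_pe(characteristics: int) -> bytes:
    """Constructed minimal PE header (DOS stub + COFF header) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for name, blob in [("invoice.exe", build_pe(0x2102)), ("lib.dll", build_pe(0x2102))]:
        print(name, classify(name, blob))
```

The check is a triage signal only: a legitimately named `.dll` attachment is still suspicious in mail, and a file that is not PE at all (a script or document dropper) needs separate handling.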
The encrypted files have the ".zepto" extension appended, meaning this Locky version is a member of the Zepto ransomware family. Zepto is just another name for Locky; it is still the Locky ransomware.
As mentioned, Locky has morphed numerous times over the years. For instance, Locky spam using Office documents and WSF files instead of ZIP and JS files has increased. Other versions have leveraged websites with vulnerable PHP forms to send the spam messages, instead of the botnets the creators mostly use. Another Locky strain was designed to work without an Internet connection, but its encryption algorithm was quite weak.
Thanks to these non-stop improvements, Locky has always managed to keep security experts on their toes. It was always one step ahead, and that's why it took them so long to finally create a decryptor.